Category Archives: technology

Post navigation

Best general-purpose Operating System

QubesOS is still (and has been for some years) the most secure general-purpose operating system for computer users who wish to protect their privacy and maintain control over their computers and data. It’s great to see the Qubes OS project to gain a lot of mainstream traction and recognition.

I recommend Qubes OS for any power user who can handle the added administration/knowledge required.

Best Operating System to use in hostile situations

TAILS is still the best operating system for use in hostile situations – when one needs to keep what they’re doing on a computer as discreet as possible.

Best way of communicating securely/privately with others

For day-to-day secure communication I recommend the Signal app on an Android phone or iPhone, or on your personal computer. It’s the only app via which I will share photos/videos of my kids with friends and family, or indeed the only app via which I will discuss anything with anyone.

Email is not dead yet, but given how horrible its privacy features are, its use should be reduced to just the few cases for which an instant messaging application like Signal is not convenient.

Why use encrypted email?

It’s simple: the government is reading your emails. Edward Snowden’s revelations make this a plain truth. If you are not an American citizen it’s a little bit worse, because at least two governments are reading your emails: yours, and the American government.

There are many plugins/addons/guides out there that claim to “encrypt” your email, so that “nobody can read it”. Most of those are nonsense. There is currently only one well-known way of encrypting emails so that only the intended recipient will read them. That is the OpenPGP protocol. So if you’re not using the commercial PGP product, the free GnuPG product, or another well-known product that follows the OpenPGP protocol, your emails can still be read by the government.

But if you’ve been following the news you will wonder “Hang on – if OpenPGP is secure, why did a bunch of prominent Internet security experts like the Silent Circle board decide to shut down their Silent Mail service (which used OpenPGP)?” The answer is that OpenPGP is based on cryptographic keys. And Silent Mail tried to manage your keys for you, which made Silent Circle vulnerable to the law – as the law in most countries states that government agencies can force companies to disclose such secrets.

Therefore, the problem was key concentration. If Silent Circle holds all the keys, the FBI slaps them with a few subpoenas and grabs all of our secret keys. Heck, Silent Circle can not even tell us about it – by law!

So, OpenPGP is still considered trustworthy as a technology – what doesn’t work is concentrating key management, because by law the government can grab all secret keys, which will allow them to read all encrypted emails we’ve sent using those keys.

But what if we just manage our own keys? The government would not legally compel all of its citizens – directly, on a one-by-one basis – to give up their secrets. That would be much less politically palatable than a program like PRISM, where they just suck out the data from our service providers (Google, Yahoo!, Microsoft, Apple etc).

Using OpenPGP and managing our own keys, then, is the best we can do right now. Let me show you how.

Note: This tutorial will focus on making using encrypted emails as easy as possible. We will propose settings that are optimised for convenience, not security. If you are a journalist, an activist, a politician or anyone who needs a setup as secure as possible, let me know in the comments and I will propose more secure but inevitably slightly less convenient settings.

Setting up encrypted email

For this example, I will use a free Gmail account and setup access from my Windows 7 computer. Note that this method is not Gmail specific. It will work for any email account out there.

Run “Thunderbird Setup (version).exe” to install Thunderbird on your computer.

Connect Thunderbird with your email account

As soon as setup is finished and Thunderbird launches, you are asked whether you’d like a new email address. Let’s skip this for now and go with your existing email address.

(For this example I will use the Gmail account jdoe18293@gmail.com)

Fill in your name, email address and Gmail password.

Thunderbird checks for the settings of your email provider

…and, in the case of a well-known service as Gmail, finds the right settings:

If everything works and the dialog disapears with no errors, great. If not, verify that whichever access method you choose (POP or IMAP), is supported and enabled for your account. For our example (Gmail), follow these instructions to enable IMAP.

If you see the following window, with your email account on the top left, you have configured Thunderbird correctly. Congratulations!

Get the encryption addon (EnigMail)

Click on the “menu” icon on the top right and then “Addons“.

Search for “enigmail” and install the addon.

Click on “Restart Now” – this will only restart Thunderbird, not your computer.

After Thunderbird has restarted, close the Add Ons tab – you’re done with this.

Create your encryption keys

Go to Options -> OpenPGP -> Setup Wizard

Go through the wizard, adjusting only the following settings:

In the “Signing” step of the wizard choose “No, I want to create per-recipient rules for emails that need to be signed“.

In the “No OpenPGP Key Found” step of the wizard choose “I want to create a new key pair for signing and encrypting my email”

In the “Create Key” step, choose the passphrase that will be required to read or send encrypted emails.

Note: Choose something that is easy to type and not too long. (remember, we’re optimising for usability here)

When the wizard completes, you will be prompted to generate a revocation certificate. This is a good idea – it’s like an insurance policy for when you lose your key:

Save this file on your Desktop for now – you can decide where to store it permanently (away from your computer! – e.g. on a CDROM or a USB stick you keep in a safe place) later.

Your passphrase is needed to generate the revocation certificate:

… at which point you are done!

Congratulations, you have created cryptographic keys and setup your email program to use them!

Sending email

You can only exchange encrypted emails with people who also use OpenPGP. Before you can send people encrypted email, you need to make your public key available to the world, otherwise your recipients will not be able to read your emails.

Publishing your public key

Open Thunderbird and click on its “options” button. Then OpenPGP -> Key Management.

Tick “Display All Keys by Default”:

Now click on your name (John Doe) to select your keys and go to Keyserver -> Upload Public Keys

In the next prompt just click OK:

Congratulations – you have published your public keys on the keyservers. Now anyone using OpenPGP can send you encrypted and signed email, and people can read the encrypted emails you send them!

Sending your first encrypted email

Let’s email our friend Bob. He also has a Gmail account and his Gmail address is anon7889@gmail.com

To start composing a new message in Thunderbird you click the “Write” button:

This brings up a new email window, where you can address and type your message.

Notice the pen and the key icons in the lower right corner? They are greyed-out, i.e. inactive, i.e. you are currently not signing (pen) or encrypting (key) your message.

Let’s click on the key icon to enable message encryption – the icon becomes colourful (gold), which means encryption has been activated:

Let’s attempt to send this message – click the “Send” button. You have just asked Thunderbird to encrypt this message for Bob (anon7889@gmail.com) – but Thunderbird hasn’t got Bob’s public key! And this is how public key encryption works – you need to have people’s public keys before you can encrypt stuff for them – and only them – to read. Therefore, Thunderbird complains that your recipient has not been found (in your OpenPGP keyring):

And lo! Bob’s public key is there. Just tick it and click OK to import Bob’s key on your keyring. You only need to do this once.

If all went well, Thunderbird lets you know the import was successful:

Great, now you have Bob’s key. You have a new greyed-out line with Bob’s email address. Tick the box of that line and click on “Create per-recipient rule(s)“.

Here you will tell Thunderbird to always use this key to sign and encrypt your emails to Bob.

Click on “Select Key(s)…“:

…and make sure the line with Bob’s address is selected before clicking OK:

Now tell Thunderbird to always sign and encrypt your messages to Bob by changing these fields to “Always“:

Clicking “OK” closes this window and immediately prompts you for your passphrase, as you’re just about to cryptographically sign a message to somebody – that requires access to your secret key, which can only be accessed with the passphrase you setup earlier:

As soon as you hit “OK” with that passphrase – oh my! Look at all this gibberish – that’s encrypted text, otherwise called “ciphertext”. This is what the spooks will now see. This is what Google will store. This is what Bob will see as well, but because he has the right private key, he will be able to decrypt this ciphertext into your plaintext email message.

See, it doesn’t matter that Google and the spooks can still read your email, because now it looks like gibberish, and it can only be decrypted and read by your intended recipients (in this case, Bob). You can use this method to communicate in private with anyone in the world, as long as they use OpenPGP too.

Congratulations! You have just sent you first cryptographically signed and encrypted message, using the most robust encryption technology known to mankind: OpenPGP.

Sending your second, third… 1000’th email

Things are much simpler now that you’ve done all the hard work in advance. All you need to do is compose an email to Bob. Thunderbird will automatically sign and encrypt your message with the right key, so that only Bob can read it. Pretty slick.

Notice the blue “+” next to the pen and the key? That means your message to Bob will be automatically

signed – so that Bob knows the message came from you and it has not been altered in any way) and

encrypted – so that no one else but Bob can read its contents.

Enjoy your private chats with Bob!

Receiving email

Receiving OpenPGP encrypted email is not a problem – you just need to provide your passphrase and you will be able to read the message.

be forced to go through a Tor proxy, tunnelling all their traffic through the Tor network

be forced to go through a VPN proxy, tunnelling all their traffic through the VPN.

The beauty of this setup is that once we have our proxyVMs setup, we don’t need to worry about the configuration of any network-level data leaks of the AppVMs that use the proxies.

Example: setting up a Tor proxyVM and then assigning this as the netvm of 5 different AppVMs will force all network traffic from all 5 AppVMs through the Tor network, with no configuration/awareness in the AppVMs themselves! This setup is covered quite well already in http://qubes-os.org/trac/wiki/UserDoc/TorVM

Creating the setup

How to setup a “workvpn” proxyVM that allows us to tunnel any “work” related AppVMs we have through work’s (in this case Cisco) VPN gateway as shown here:

From Qubes Manager: VM -> Create AppVM

Name: workvpn. Select the ProxyVM radio button and OK.

In a couple of seconds your new VM is created. Go to the “K” menu and fire up a terminal in your new workvpn VM.

Create the file vpn.conf with the following contents, substituting your VPN provider’s values:

Now tell your work-related AppVMs to use workvpn as their network VM. To do this, right-click on the AppVMs in Qubes VM Manager and select “VM Settings”. In the “Basic” tab ensure that “NetVM” is set to “workvpn”

You’re all set.

Using this setup

When you fire up any of your AppVMs that need to use the VPN, workvpn will automatically start. You will then need to fire up a terminal in workvpn and type

./start_vpn.sh

(of course after the first time you can just hit the “up” arrow and the command will be there for you)
This will connect you to your work’s VPN and allow all AppVMs that use this as their netvm to seamlessly talk to internal work systems, while leaving the rest of your QubesOS AppVMs unaffected, reaching the Internet either directly or through Tor.

Silent Circle’s CEO takes a rather optimist view on the state of the cryptowars. If only we could reasonably assume that the all-star team of technologists he mentions are incorruptible by the full weight of the nexus of global government/corporate complex, we should see the sunny side of things too.
Yes, learning at least part of the truth due to Snowden is a reason to celebrate – we now know what is done in our name. But what we have learned is so sobering and matches our most dystopian projections so well, at the same time generating so little outrage around the world, that I still cannot be optimistic about a better future.

There have been so many disclosures, revelations and speculations since Snowden fled and the media trickled out one tantalizing slide after the next- that it’s hard not to get overwhelmed. It’s hard not to get angry.

Now that the sheer scope and massive worldwide surveillance of the NSA has come to light over the last few months, it seems as if a veritable cloud of “Privacy Depression” has set in lately among citizens and the technology community at large. Adding to that hot mess is the willing complicity of the tech giants, backbone providers and hardware manufactures. Fuel to the fire.

Yes, there are some feigning outrage, some with true concern, and others calling for heads-on-a-platter while western intelligence agencies and big technology firms hunker down and hope it all goes away. It won’t. It’s only going to get worse for them and the government.

They realise that secure endpoint operating systems are an absolute requirement for any real privacy. What’s the point of protecting data in transit with PGP, when the spooks can remotely take over your machine and grab your stuff from the source? So they’ve taken the time to learn how to use Qubes OS – a security-by-separation operating system based on Xen and Fedora GNU/Linux.

Alice and Bob will use the non-networked “vault” AppVM to create and store their master cryptographic keys. They will then create a “daily use” keypair which will be available to their “personal” AppVM to send emails to each other.

Note: OpenPGP key management is complicated. To protect you from mistakes, this tutorial sets the expiry date of keys to one week after their creation. Once you are comfortable with this process you can always extend the life of your keys.

Generate a revocation certificate

A general-purpose revocation certificate that specifies no reason why you are revoking your keys:

[user@vault ~]$ gpg --output revocation.cert --gen-revoke alice
sec 4096R/32D49659 2013-08-15 Alice <alice@domain.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
>
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Alice <alice@domain.com>"
4096-bit RSA key, ID 32D49659, created 2013-08-15
Enter passphrase: <Alice's long passphrase>
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
[user@vault ~]$

See that “#”? That means that the master signing key is not there. Congratulations – this is your daily-use, lower-risk keyring! It only contains Alice’s encryption and signing subkeys, but no master (certification) signing key.

Move the daily-use keyring to Alice’s “personal” AppVM

Alice runs her email client and exchanges email with Bob using her “personal” AppVM. She therefore needs to have her daily-use keyring there.

Alice has generated new OpenPGP keys in a secure environment (the vault)

Alice created a “lesser” version of her keyring that excludes the all-important certification key. This “lesser” version will be used for daily use to communicate with Bob and anyone else using OpenPGP. If this “lesser” version of her keys is stolen (e.g. because the attacker compromises Alice’s “personal” AppVM), the attacker will not be able to create more keys in Alice’s name, or assign Alice’s trust to other keys. Alice only has to revoke her key and the attacker is left with nothing.

Alice created a backup of her full certification keyring in a secure environment, the vault.

Publishing your public key on a keyserver for others to find

She should publish her key on the keyservers so that her friend Bob can easily find it: (note that the key to be sent must be selected with its key ID:

…Alice can verify her key has been successfully published. All she needs to do is visit http://sks.keyservers.net/ and search for her email or name, then verify that the fingerprint shown matches the one of her local key.

In the meantime, Bob has been busy doing these exact same steps on his computer, for his name and email address. His key, tied to his email address bob@domain.com has also been published to the keyservers. He has also taken a proactive security precaution and only exposed a “lesser” version of his keyring to his networked AppVMs, with his certification key safely stored in the vault.

Communicating

Alice and Bob want to send private emails to each others. Emails about apple pie and silly gossip and deep meaningful conversations. It doesn’t matter. They just want to keep their conversations private. If they’ve both followed the steps above, this is what they need to do to email each other in private.

Importing Bob’s key

Alice needs to import Bob’s (public) key from the keyservers. She asks the keyserver to find Bob’s key:

Whoops – found multiple keys – but once she selected Bob’s key, it was automatically imported into Alice’s keyring.

Verifying Bob’s key

Alice can already use this key to send Bob private email messages or files, but she wants to be really really certain that is Bob’s key, and not some impostor’s! Alice either meets or calls Bob on the phone and asks him to read out to her his key’s fingerprint. She verifies it matches the fingerprint of the key she imported from the keyservers:

Fingerprints of public keys are public information. So Alice and Bob don’t need to worry about other people listening in. Their fingerprints are not secret.

Great! So far Alice and Bob have generated and successfully exchanged keys. Now all they need to do is use an application like Thunderbird with the Enigmail plugin (on Windows/Mac/Linux) or K9 with the APG app (on Android) to exchange encrypted and signed emails and files, being pretty certain that nobody can read or alter the contents of their messages.

When disaster strikes

Oh no! Alice’s smartphone has been stolen! Or one of her AppVMs might have opened an infected PDF, or ran some suspicious Java applet that might have installed a trojan on her personal AppVM. Nothing in that AppVM can be trusted any longer. This includes the GnuPG keys she was using on a daily basis.

Luckily Alice is prepared.

Revoking compromised keys

Alice needs to use her safe environment (the vault) to revoke the compromised subkeys (she only exposed subkeys to her networked AppVMs and devices, remember?) and optionally issue new ones.

The beauty of this is that she does not have to throw away the whole key. Alice can carry on using the same master key, which may, over the years, have accumulated a lot of trust from other Web Of Trust members. She just needs to revoke the compromised subkeys and issue new ones.

Working with our master key

Alice fires up her vault and imports the master keyring she had backed up when she created her keys:

You have now revoked the two compromised subkeys and may create new subkeys with your untainted master key that was kept safe in your vault all along. Whoever managed to compromise your keys may be able to read everything encrypted with those keys (if they kept copies of the ciphertext).

Here’s a few people who had both the guts and the skill to improve our world.

The guy on the left is Richard Stallman, founder of the Free Software Foundation, intellectual leader of the Free Software movement, who has tirelessly, often in the face of mockery, preached his gospel: Software is knowledge, and knowledge should be free for all.

Here he’s grinning alongside Julian Assange, Wikileaker extraordinaire, persecuted by the world’s most powerful governments, for months now unable to leave the Ecuadorian embassy in London. Assange had the balls to give us knowledge and to not stand down when the powers that be threatened him and came after him.

They are holding a picture of Edward Snowden, the latest NSA whistleblower who had the balls to throw away his comfortable, high-earning, high-status life to give us all some of the raw truth about how our governments operate. About how we have allowed our societies to resemble George Orwell’s 1984 to a worrying degree. He’s also prosecuted by the most powerful governments of this world.

Here’s a well-written biography of Edward Snowden, which captures the issues the world is facing after his brave disclosures succinctly. Highly recommended reading.

Now that the most powerful nation states of the world have been caught performing wholesale surveillance on us, their citizens, and have responded with a “so what?”, the question arises… what are we, the citizens caught in a surveillance society to do?

It seems to me there are five broad strategies:

1. Retreat

Leave the big cities. Stop using credit cards and mobile phones. Live off the land. Read only paper books. Send snail mail. Use cash. Deny your children education in and enjoyment of modern technology.

2. Ignore

Carry on your life as if PRISM did not exist. Suppress the inconvenient knowledge that you have acquired. Hope it’ll all be okay, since you will always toe the line of whatever establishment you happen to operate under. Leave your children uninformed about what’s going on, or just tell them “that’s normal, that’s how it’s always been”. Carry on using Facebook, surf the web while being logged into Yahoo!, Google or Hotmail, carry on syncing all your Apple iThings content to “the cloud”. Chat with your loved ones over Skype/Google Talk/FaceTime/WhatsApp/MSN/Facebook and all the other “freebie” services that are surveillance chambers. Have photos of your kids online.

3. Hide (with technical means)

Use Tor for surfing the web, PGP to encrypt your email, ZRTP to encrypt your voice/video calls, OTR to encrypt your chats, learn how to manage your keys securely, use secure operating systems like Qubes OS. This approach is inconvenient, difficult to do properly even for experts, network effects penalise you because others will not communicate with you in compatible (private) ways and therefore it will be difficult to communicate with them. Loathing by others because you’re visibly putting barriers between them and you. A losing battle, but buys you and (if you manage to convert them to your cause and if they are capable of following) your loved ones some privacy and decency, even though what you are practically doing is hiding.

“Cast your whole vote, not a strip of paper merely, but your whole influence.” Subvert the system in any (non-violent) way possible. Stop obeying the rules of a system that is immoral. Become as vocal as possible and follow your words with actions. No matter what the consequences to you personally, it’s worth it if we all fight together. Remember that “A minority is powerless while it conforms to the majority; it is not even a minority then; but it is irresistible when it clogs by its whole weight.”

Most people will want to do a combination of different elements of the above – although a clear strategy that balances pain to you with protection for your family is difficult to describe.